Blocked SSH Traffic between vlans



  • Dear colleagues,
    I use pfSense as a firewall/router between VLANs.

    
    *** Welcome to pfSense 1.2.3-RELEASE-pfSense on ruvozsonfw03 ***
    
      LAN*                     ->   vlan0   ->      192.168.250.238
      WAN*                     ->   vlan1   ->      172.16.0.2
      OPT2(vlan253)            ->   vlan2   ->      192.168.253.1
      OPT3(vlan256)            ->   vlan3   ->      192.168.253.33
      OPT1(vlan220)            ->   vlan4   ->      192.168.220.2
      OPT4(vlan258)            ->   vlan5   ->      192.168.253.97
    
    

    There is a router 172.16.0.1 behind the WAN interface which serves the connection to host 192.168.253.67 (vlan257).

    Could you explain to me why I lose the connection to my SSH server 192.168.253.67 from host 192.168.250.52 after 40 seconds?
    The rules listed in the FW logs follow:

    
    Oct  4 11:48:26 ruvozsonfw03 pf: 794199 rule 69/0(match): pass in on vlan0: (tos 0x0, ttl 128, id 43646, offset 0, flags [DF], proto TCP (6), length 48) 192.168.250.52.4594 > 192.168.253.67.22: S, cksum 0xd002 (correct), 147727228:147727228(0) win 64512 <mss 1460,nop,nop,sackOK>
    Oct  4 11:49:02 ruvozsonfw03 pf: 1. 660361 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 51802, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.4594 > 192.168.253.67.22: P, cksum 0xdff6 (correct), 147735006:147735058(52) ack 1716799602 win 64512
    Oct  4 11:49:02 ruvozsonfw03 pf: 190302 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 58695, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.4594 > 192.168.253.67.22: P, cksum 0x4659 (correct), 52:104(52) ack 1 win 64512
    Oct  4 11:49:02 ruvozsonfw03 pf: 099681 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 526, offset 0, flags [DF], proto TCP (6), length 144) 192.168.250.52.4594 > 192.168.253.67.22: P, cksum 0xf6fc (correct), 0:104(104) ack 1 win 64512
    Oct  4 11:49:02 ruvozsonfw03 pf: 148366 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 54886, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.4594 > 192.168.253.67.22: P, cksum 0x2937 (correct), 104:156(52) ack 1 win 64512
    Oct  4 11:49:02 ruvozsonfw03 pf: 148978 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 22592, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.4594 > 192.168.253.67.22: P, cksum 0xca0e (correct), 156:208(52) ack 1 win 64512
    Oct  4 11:49:03 ruvozsonfw03 pf: 358951 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 17513, offset 0, flags [DF], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
    Oct  4 11:49:04 ruvozsonfw03 pf: 192552 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 26629, offset 0, flags [none], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
    Oct  4 11:49:05 ruvozsonfw03 pf: 394383 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 19043, offset 0, flags [none], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
    Oct  4 11:49:06 ruvozsonfw03 pf: 597495 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 7708, offset 0, flags [DF], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
    Oct  4 11:49:09 ruvozsonfw03 pf: 003889 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 56883, offset 0, flags [DF], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
    Oct  4 11:49:13 ruvozsonfw03 pf: 816474 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 35699, offset 0, flags [DF], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
    

    Another example with another host:

    
    Oct  4 14:44:07 ruvozsonfw03 pf: 1. 450187 rule 69/0(match): pass in on vlan0: (tos 0x0, ttl 128, id 22852, offset 0, flags [DF], proto TCP (6), length 48) 192.168.250.52.1956 > 192.168.253.68.22: S, cksum 0xe02b (correct), 639107158:639107158(0) win 64512 <mss 1460,nop,nop,sackOK>
    Oct  4 14:44:46 ruvozsonfw03 pf: 2. 733951 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 4453, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xe388 (correct), 639112200:639112268(68) ack 3780764241 win 63780
    Oct  4 14:44:47 ruvozsonfw03 pf: 295170 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 56398, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xe388 (correct), 0:68(68) ack 1 win 63780
    Oct  4 14:44:47 ruvozsonfw03 pf: 603428 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 11015, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xe388 (correct), 0:68(68) ack 1 win 63780
    Oct  4 14:44:48 ruvozsonfw03 pf: 635385 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 39717, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xa132 (correct), 68:136(68) ack 1 win 63780
    Oct  4 14:44:49 ruvozsonfw03 pf: 412929 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 37492, offset 0, flags [none], proto TCP (6), length 176) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x49cc (correct), 0:136(136) ack 1 win 64512
    Oct  4 14:44:50 ruvozsonfw03 pf: 1. 207187 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 48476, offset 0, flags [none], proto TCP (6), length 176) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x49cc (correct), 0:136(136) ack 1 win 64512
    Oct  4 14:44:51 ruvozsonfw03 pf: 1. 207070 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 5978, offset 0, flags [DF], proto TCP (6), length 176) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x49cc (correct), 0:136(136) ack 1 win 64512
    Oct  4 14:44:51 ruvozsonfw03 pf: 438062 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 4167, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xd778 (correct), 136:188(52) ack 1 win 64512
    Oct  4 14:44:52 ruvozsonfw03 pf: 687445 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 3906, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x9ac5 (correct), 188:256(68) ack 1 win 64512
    Oct  4 14:44:52 ruvozsonfw03 pf: 216517 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 39261, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x035c (correct), 256:324(68) ack 1 win 64512
    Oct  4 14:44:53 ruvozsonfw03 pf: 143490 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 8744, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x0492 (correct), 324:392(68) ack 1 win 64512
    Oct  4 14:44:53 ruvozsonfw03 pf: 160247 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 22900, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xb2f6 (correct), 392:460(68) ack 1 win 64512
    Oct  4 14:44:53 ruvozsonfw03 pf: 593953 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 52250, offset 0, flags [DF], proto TCP (6), length 500) 192.168.250.52.1956 > 192.168.253.68.22: P 0:460(460) ack 1 win 64512
    Oct  4 14:44:56 ruvozsonfw03 pf: 3. 055114 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 20323, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xfd8e (correct), 460:528(68) ack 1 win 64512
    Oct  4 14:44:57 ruvozsonfw03 pf: 360498 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 2828, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x96f5 (correct), 528:596(68) ack 1 win 64512
    Oct  4 14:44:57 ruvozsonfw03 pf: 151157 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 852, offset 0, flags [DF], proto TCP (6), length 108) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xedb1 (correct), 596:664(68) ack 1 win 64512
    Oct  4 14:44:58 ruvozsonfw03 pf: 736254 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 17417, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xed80 (correct), 664:716(52) ack 1 win 64512
    Oct  4 14:44:58 ruvozsonfw03 pf: 184074 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 3331, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x7167 (correct), 716:768(52) ack 1 win 64512
    Oct  4 14:44:58 ruvozsonfw03 pf: 131195 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 42008, offset 0, flags [DF], proto TCP (6), length 808) 192.168.250.52.1956 > 192.168.253.68.22: P 0:768(768) ack 1 win 64512
    Oct  4 14:45:04 ruvozsonfw03 pf: 6. 243567 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 47118, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xa215 (correct), 768:820(52) ack 1 win 64512
    Oct  4 14:45:05 ruvozsonfw03 pf: 475699 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 62504, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x5e80 (correct), 820:872(52) ack 1 win 64512
    Oct  4 14:45:05 ruvozsonfw03 pf: 210753 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 24633, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0x7913 (correct), 872:924(52) ack 1 win 64512
    Oct  4 14:45:05 ruvozsonfw03 pf: 175958 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 18536, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xa126 (correct), 924:976(52) ack 1 win 64512
    Oct  4 14:45:05 ruvozsonfw03 pf: 180820 rule 91/0(match): block in on vlan0: (tos 0x0, ttl 128, id 44356, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.1956 > 192.168.253.68.22: P, cksum 0xb6bf (correct), 976:1028(52) ack 1 win 64512
    

    I carefully read the FAQ section about blocked retransmitted packets, http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F,
    but how do I solve this problem?

    Many thanks for quick response.
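Added example (not from the post or from pfSense): a small Python script that groups pf log lines of the format quoted above by TCP 4-tuple and flags flows whose SYN was passed by one rule but whose later data segments were blocked by another, the pattern the linked FAQ attributes to a connection with no matching state (state timed out, or never built because the return path bypasses the firewall). The log format is assumed to be the pfSense 1.2.3 one shown in the post; the sample lines are constructed to mirror it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pfSense 1.2.3 pf log format shown in the post (assumption);
# the tcpdump-style tail beyond the TCP flag letter is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pf: .*?rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): .*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
)

def parse_line(line):
    """Return a dict of fields for one pf log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year irrelevant here
    ev["flow"] = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
    return ev

def find_lost_state_flows(lines):
    """Flows whose SYN was passed but whose later non-SYN segments were blocked."""
    by_flow = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_flow[ev["flow"]].append(ev)
    suspects = {}
    for flow, evs in by_flow.items():
        syns = [e for e in evs if e["action"] == "pass" and "S" in e["flags"]]
        blocked = [e for e in evs if e["action"] == "block" and "S" not in e["flags"]]
        if syns and blocked:  # state was created, then packets of the same flow hit a block rule
            suspects[flow] = {
                "pass_rule": syns[0]["rule"],
                "block_rules": sorted({e["rule"] for e in blocked}),
                "blocked_segments": len(blocked),
                "seconds_after_syn": (blocked[0]["time"] - syns[0]["time"]).total_seconds(),
            }
    return suspects

# Constructed sample: one SSH flow whose SYN passes and whose data is then
# blocked, plus an unrelated flow that is only passed (must not be flagged).
SAMPLE_LOG = """\
Oct  4 11:48:26 fw pf: 794199 rule 69/0(match): pass in on vlan0: (tos 0x0, ttl 128, id 43646, offset 0, flags [DF], proto TCP (6), length 48) 192.168.250.52.4594 > 192.168.253.67.22: S, cksum 0xd002 (correct), 147727228:147727228(0) win 64512 <mss 1460,nop,nop,sackOK>
Oct  4 11:49:02 fw pf: 1. 660361 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 51802, offset 0, flags [DF], proto TCP (6), length 92) 192.168.250.52.4594 > 192.168.253.67.22: P, cksum 0xdff6 (correct), 147735006:147735058(52) ack 1716799602 win 64512
Oct  4 11:49:03 fw pf: 358951 rule 90/0(match): block in on vlan0: (tos 0x0, ttl 128, id 17513, offset 0, flags [DF], proto TCP (6), length 248) 192.168.250.52.4594 > 192.168.253.67.22: P 0:208(208) ack 1 win 64512
Oct  4 11:50:00 fw pf: 123456 rule 69/0(match): pass in on vlan0: (tos 0x0, ttl 128, id 100, offset 0, flags [DF], proto TCP (6), length 48) 192.168.250.52.5000 > 192.168.253.1.443: S, cksum 0x0000 (correct), 1:1(0) win 64512 <mss 1460,nop,nop,sackOK>
"""

if __name__ == "__main__":
    for flow, info in find_lost_state_flows(SAMPLE_LOG.splitlines()).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}", info)
```

A flow reported here with a gap of tens of seconds between the passed SYN and the first blocked data segment is the case the FAQ describes; the fix is on the routing side (make both directions of the flow traverse pfSense, or disable state tracking for that traffic), not in the block rule that logged it.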



  • What are the netmasks for the 3 interfaces configured with 192.168.253.x?

    What are your firewall rules for the source interface in question?

